[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] stack protection in mini-os

  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "Harald Roeck" <hroeck@xxxxxxxxx>
  • Date: Thu, 31 Jul 2008 13:58:36 -0700
  • Delivery-date: Thu, 31 Jul 2008 13:59:27 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=TbK6CMo1iRpGhtRpNxf5T94cz/ex3glRK5N/aEJOgO7CwEQ9TRUBqWKOk9yLZ3DNZA Eh7EYuJQ2AkeiCyQW4LRVn/0hyCaUs2xXoIzlmx2skz8oefcpsyg7MiC/iouMmmiWZjy n7+HCh76kV3FV6gp+bHJU3JKz/08xb3oObrXk=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
Hello,

we have a small OS based on mini-os running on a x86_64, and we would
like to implement a stack protection mechanism to catch stack
overflows. All threads are running in kernel mode and we tried to map
out the last stack page. If we overflow the stack and run into the
mapped out stack page xen crashes and the machine reboots. it looks
like xen is trying to push the arguments for the page fault trap onto
the mapped out page. If we mark the last stack page as read-only, only
the guest crashes and the hypervisor is still working. the guest
crashes with the following output on the console:

domain_crash_sync called from entry.S
Domain 2 (vcpu#0) crashed on cpu#1:
----[ Xen-3.1.4-xvm-debug  x86_64  debug=y  Not tainted ]----
CPU:    1
RIP:    e033:[<000000000001583f>]
RFLAGS: 0000000000010246   CONTEXT: guest
rax: 0000000000000000   rbx: 000000000000cb12   rcx: 000000000007b050
rdx: 000000000007b3d0   rsi: 000000000003309f   rdi: 0000000000032caa
rbp: 000000000007b120   rsp: 000000000007aff0   r8:  0000000000000010
r9:  00000000ffffffff   r10: 000000000003309f   r11: 0000000000032ca7
r12: 0000000000000000   r13: 0000000000000000   r14: 0000000000000000
r15: 0000000000000000   cr0: 000000008005003b   cr4: 00000000000006f0
cr3: 00000007ebeea000   cr2: 000000000007aff8
ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e02b   cs: e033
...

fyi: the read only page in this setup was 0x7a000.

so my question: is it possible to set an "alternate" trap stack? We
already tried to set a kernel stack with the stack_switch hypercall,
but this stack is only used when trapping from user context, but we
never enter user context. Or are we missing something? what about
double faults, or the failsafe_callback? we never see any of them.

any suggestions or comments on how we could handle stack overflows are welcome.

thanks,
Harald

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.